File name: | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe |
Full analysis: | https://app.any.run/tasks/c0090554-ac5a-4fbd-81a9-42e86503fb08 |
Verdict: | Malicious activity |
Analysis date: | August 12, 2022, 22:38:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive |
MD5: | 4FCAA03AD1D439570A2A10EBFD3E7ADC |
SHA1: | 0A3CCF1AAAA02262CA6CB4199E8C2AC0B2646D60 |
SHA256: | DF5B822CFB367FB862DCE788D16009B0299461C8543C5098009FB85DD2150170 |
SSDEEP: | 49152:6QdjyETo5FdrAskBUq9a/BBU4IPSWanwJB:6Qi3drAszq96oKW2wJB |
.exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (14.2) |
.exe | | | Win32 Executable (generic) (9.7) |
.exe | | | Generic Win/DOS Executable (4.3) |
.exe | | | DOS Executable Generic (4.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0xb4b5 |
UninitializedDataSize: | - |
InitializedDataSize: | 202752 |
CodeSize: | 72192 |
LinkerVersion: | 9 |
PEType: | PE32 |
TimeStamp: | 2011:03:02 08:40:24+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 02-Mar-2011 07:40:24 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000E8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 02-Mar-2011 07:40:24 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000118E0 | 0x00011A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.5511 |
.rdata | 0x00013000 | 0x00001C15 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.86525 |
.data | 0x00015000 | 0x0000FF2C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.51849 |
.CRT | 0x00025000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.213101 |
.rsrc | 0x00026000 | 0x0002F454 | 0x0002F600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.01567 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20816 | 1464 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.01157 | 67624 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 4.2437 | 38056 | Latin 1 / Western European | Process Default Language | RT_ICON |
4 | 4.24704 | 21640 | Latin 1 / Western European | Process Default Language | RT_ICON |
5 | 4.19004 | 16936 | Latin 1 / Western European | Process Default Language | RT_ICON |
6 | 4.35882 | 9640 | Latin 1 / Western European | Process Default Language | RT_ICON |
7 | 3.24143 | 556 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.26996 | 974 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.04375 | 530 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 3.16254 | 776 | Latin 1 / Western European | English - United States | RT_STRING |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2972 | "C:\Users\admin\AppData\Local\Temp\4fcaa03ad1d439570a2a10ebfd3e7adc.exe" | C:\Users\admin\AppData\Local\Temp\4fcaa03ad1d439570a2a10ebfd3e7adc.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
3436 | "C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe" | C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | ||||||||||||
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Version: V12.50 Modules
|
(PID) Process: | (2972) 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR SFX |
Operation: | write | Name: | C%%Users%admin%AppData%Roaming |
Value: C:\Users\admin\AppData\Roaming | |||
(PID) Process: | (2972) 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2972) 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2972) 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2972) 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3436) client32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3436) client32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (3436) client32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3436) client32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3436) client32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.ini | text | |
MD5:25521495785333207F6C7F7D414EBE24 | SHA256:1A2F037745420629476275F08DD8238F6FBE0C73A971A0BBD37295ED1AE29D15 | |||
3436 | client32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\loca[1].htm | text | |
MD5:FB5380579A079236CA231042BFD5AB83 | SHA256:5186BA244D69EF4B57675FDD488BA07DA4CC93D850566FEFBBF220CAF92CCE49 | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\client32.exe | executable | |
MD5:F76954B68CC390F8009F1A052283A740 | SHA256:63315DF7981130853D75DC753E5776BDF371811BCFCE351557C1E45AFDD1EBFB | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnk | lnk | |
MD5:86079A13D10BE114A94CED20E8DF6608 | SHA256:6FFD5BBC8DE69981654A604850EEBDA04D1ADE4E984ADC01227C84031E8DF627 | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\AudioCapture.dll | executable | |
MD5:771E97F76E213ED2D2B0B7C6639E1C68 | SHA256:8AF1DD14B521D96D711B0EC5E1651D961B5F0D6AC18FBEE3EF66E065E9766F72 | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\nskbfltr.inf | binary | |
MD5:26E28C01461F7E65C402BDF09923D435 | SHA256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368 | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\HTCTL32.DLL | executable | |
MD5:2D3B207C8A48148296156E5725426C7F | SHA256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796 | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\NSM.ini | binary | |
MD5:88B1DAB8F4FD1AE879685995C90BD902 | SHA256:60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92 | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\NSM.LIC | text | |
MD5:8614C2008044A081E9D26D8DB1571F4A | SHA256:DF622FC8BC605023730D3AD952D69FCBD8383CE5440D63DA0DF20FB139355EC9 | |||
2972 | 4fcaa03ad1d439570a2a10ebfd3e7adc.exe | C:\Users\admin\AppData\Roaming\WinSupUpdate\PCICHEK.DLL | executable | |
MD5:A0B9388C5F18E27266A31F8C5765B263 | SHA256:313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3436 | client32.exe | GET | 200 | 195.171.92.116:80 | http://geo.netsupportsoftware.com/location/loca.asp | GB | text | 15 b | suspicious |
3436 | client32.exe | POST | 200 | 195.201.98.86:3624 | http://195.201.98.86/fakeurl.htm | RU | binary | 159 b | suspicious |
3436 | client32.exe | POST | 200 | 195.201.98.86:3624 | http://195.201.98.86/fakeurl.htm | RU | binary | 61 b | suspicious |
3436 | client32.exe | POST | — | 195.201.98.86:3624 | http://195.201.98.86/fakeurl.htm | RU | — | — | suspicious |
3436 | client32.exe | POST | — | 195.201.98.86:3624 | http://195.201.98.86/fakeurl.htm | RU | — | — | suspicious |
3436 | client32.exe | POST | — | 195.201.98.86:3624 | http://195.201.98.86/fakeurl.htm | RU | — | — | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3436 | client32.exe | 195.201.98.86:3624 | bursaebre2.com | Awanti Ltd. | RU | suspicious |
3436 | client32.exe | 195.171.92.116:80 | geo.netsupportsoftware.com | British Telecommunications PLC | GB | suspicious |
Domain | IP | Reputation |
---|---|---|
bursaebre2.com |
| suspicious |
geo.netsupportsoftware.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3436 | client32.exe | Potential Corporate Privacy Violation | ET POLICY NetSupport GeoLocation Lookup Request |
3436 | client32.exe | A Network Trojan was detected | ET INFO NetSupport Remote Admin Checkin |
3436 | client32.exe | A Network Trojan was detected | ET INFO NetSupport Remote Admin Response |
3436 | client32.exe | A Network Trojan was detected | ET INFO NetSupport Remote Admin Checkin |
3436 | client32.exe | A Network Trojan was detected | ET INFO NetSupport Remote Admin Response |
3436 | client32.exe | A Network Trojan was detected | ET INFO NetSupport Remote Admin Checkin |
3436 | client32.exe | A Network Trojan was detected | ET INFO NetSupport Remote Admin Checkin |